Simulation of a High Speed Counting System for Sic Neutron Sensors

Triangle Symposium on Advanced ICT 2008 (TriSAI 2008) ICU, Daejeon, Korea, October 6-9, 2008

Mutually Authenticated Key Exchange Protocol for Computationally Limited Devices

Zeen Kim*, Youngdoo Kang** and Kwangjo Kim* *School of Engineering, Information and Communications University, {zeenkim, kkj}@icu.ac.kr ** Instrumentation and Control Dept., Korea Institute of Nuclear Safety, [email protected]

Abstract. analysis of the protocol is given in Section 4. We In this paper, we consider the problem of mutually conclude with some further works in Section 5. authenticated key exchanges between a computationally limited client and a powerful server. There are several schemes which solved this situation. Previous schemes succeed to reduce the computational load at client side but 2. Related Work there exist some security holes on each scheme. We propose a new scheme for achieving mutually authenticated key Although there is a long history of designing exchanges. The protocol satisfies all security requirements of MAKEPs and many protocols have been proposed for authenticated key exchange protocols. We also compare our various kinds of distributed systems, they seldom scheme and previous schemes in security achievements. designed for such an unbalanced system setup. Recently several schemes have been proposed for systems with Keywords. Authenticated key exchange, asymmetric unbalanced computational power. Jakobsson and computing power Pointcheval proposed a MAKEP which improves on efficiency by using precomputation [5] (JP-MAKEP, Figure 1). Wong and Chan showed that Jakobsson and 1. Introduction Pointcheval protocol is susceptible to a variant of interleaving attacks and proposed an improvement to A mutually authenticated key exchange protocol Jakobsson-Pointcheval protocol (WC-MAKEP, Figure (MAKEP) between two communicating entities 2). provides assurance that they know each other's identity and at the same time shares a common key known only to the two legitimate parties. In spite of the remarkable increase in the availability of computing resources there has been considerable interest in protocols that can be implemented on devices with limited computational power. Such a computationally limited device could be a mobile station, Personal Digital Assistant (PDA), a cellular phone or a smart card in real applications. Very often the low power device is a client required Figure1. Jacobsson and Pointcheval Protocol to establish a key with a computationally powerful server, a powerful server could be a base station, set-top box or the security center of a wireless network, and so an acceptable solution may have unbalanced computational requirements: the server end can bear an increased computational load in order to ease the load on the client side. Another effective technique is to allow the client side to precompute values which can be used during the protocol execution; mobile terminals typically have the opportunity to make offline Figure 2. Wong-Chan Protocol computations during the idle time between awaiting calls. In [3], Choo et al. describe an unknown key share In this paper, we propose a new scheme which not attack on the JP-MAKEP which breaks the reduction of only gives the same scalability as other public-key the proof from JP-MAKEP to the discrete logarithm based schemes do, but also satisfies all security problem. Similarly to the Boyd-Gonzalez Nieto requirements for authenticated key exchange protocol protocol, the proof model allows Corrupt queries for which is given by Menezes et al. [1]. clients, and hence secure protocols ought to be immune The remainder of the paper is organized as follows. to unknown key share attacks. The authors claim there In Section 2, we describe some previous result on exist an attack against WC-MAKEP which is described MAKEP for computationally limited devices and their where an adversary A is able to obtain a fresh key of an security. In Section 3, we introduce a new protocol initiator oracle by revealing a non-partner server oracle referred to as A-MAKEP (Asymmetric Mutually sharing the same session key. The proof was sketchy Authenticated Key Exchange Protocol). A security and failed to provide any simulation. Triangle Symposium on Advanced ICT 2008 (TriSAI 2008) ICU, Daejeon, Korea, October 6-9, 2008

3. Our Scheme H(k ⊕ x||B) and ¯finds a new session key H(σ).

In this section, we propose a novel mutually authenticated key exchange protocol which designed for Then the client sends {R, Ek(s), H(σU) } 1 to the computationally limited client and a powerful server. server. 1 The proposed protocol consists of three phases; setup 5. Upon receiving {R, Ek(s) , H(σU)} , the server phase, registration phase, and session key establishment decrypts Ek(s) and obtain s. Then the server phase. ⊕ computes R·vH(k B) and checks this value equals to 3.1 Setup Phase

At first, the server chooses two large random primes p and gs mod φ(N). If the check fails, the server terminates q, then he compute N = pq. Let g be the maximum order in the the protocol with failure. Otherwise, the server finds multiplicative group ZN* and H be a cryptographic one-way hash function. The server determines a pair of public and secret keys (e; d), which satisfies ed = 1 mod φ(N) with σ = H(k ⊕ x||B) and computes a new session key gcd(e,φ(N)) = 1. Then he publishes N, g, H, e and keep p, q, d secret.

H(σ). The sever computes H(σL) and sends H(σL) to the client. At same time, the server can confirm that 3.2 Registration Phase the client has a exact session key by the value of The client with identification ID chooses a prime number as H(σU). -x 6. The client confirms that the server has a exact secret key x in ZN*, and computes v = g mod N. Then, he sends {ID, v} to the server. Upon receiving the message, the session key by the value of H(σL). server computes the client's public key y as y = (v - ID)d mod N. Then he forwards y is a long-life key it can be used in the The session key establish phase is shown as Figure 3. session key establishment phase so many times if needed.

3.3 Session Key establishment Phase

Whenever the client wants to generate a new session key with the server, he executes the followings:

(Precomputation) The server selects k, r∈Z*N and

r computes g and x = EPK(k). Figure 3. Key Establishment Phase 1. The client sends {ID, y, x} to the server. 2. The server checks v = ye + ID mod N. If the check fails, he terminates the protocol run with failure. 4. Security Analysis Otherwise, the server decrypt x and obtain k. The security of our proposed protocol is based on the secure one-way hash function, computational Diffie- a -a 3. The server selects a ∈R ZN, computes A = g , B = v Hellman problem (CDH), and RSA problem. In this section, we discuss about the security goals and attributes on the key exchange protocol. Then, we = gax, l = H(k||A) and sends {A, l} to the client. analyze that our proposed protocol satisfies all security 4. After receiving {A, l}, the client computes l’ = H(k|| requirements for key exchange protocol. A) and checks l = l’. If the check fails, the server stops the protocol run with failure. Otherwise, the 4.1 Security Requirements

client computes Ax = gax = B, s = r - x H(k⊕B), σ =

1 σL and σL denotes upper half bits and lower half bits of σ, respectively. Triangle Symposium on Advanced ICT 2008 (TriSAI 2008) ICU, Daejeon, Korea, October 6-9, 2008

The fundamental security goals of key establishment because he doesn't know ephemeral private keys r, k, protocols are said to be implicit key authentication and and a. Therefore the protocol still achieves its goal in explicit key authentication. Let A and B be two honest the face of the adversary. entities, i.e., legitimate entities who execute the steps of It also possesses forward secrecy provided that EKA a protocol correctly. Informally speaking, a key of all session keys is supplied. Suppose that static agreement protocol is said to provide implicit key private keys x and PK of the client and the server, authentication (IKA) (of B to A) if entity A is assured respectively, are compromised. However, the secrecy of that no other entity aside from a specifically identified previous session keys established by honest entities is second entity B can possibly learn the value of a not affected, because it is difficult to compute valid s particular secret key. A key agreement protocol which and B by the randomness of the ephemeral private keys provides implicit key authentication to both and computational hardness of gax from ga and gx. participating entities is called an authenticated key It resists key-compromise impersonation. Though the agreement (AK) protocol. A key agreement protocol is client's static private key x is disclosed, this loss does said to provide key confirmation (of B to A) if entity A not enable an adversary to impersonate the server to the is assured that the second entity B actually has client, since the adversary still cannot decrypt EPK(k). possession of a particular secret key. If both implicit Without knowing the static private key of the server, key authentication and key confirmation (of B to A) are SK, the adversary cannot compute valid H(k||A). provided, the key establishment protocol is said to Similarly, though the server's static private key SK is provide explicit key authentication (EKA) (of B to A). A disclosed, it is difficult that an adversary impersonates key agreement protocol which provides explicit key the client to the server, since the adversary cannot authentication to both entities is called an authenticated compute valid s. Without knowing the static private key key agreement with key confirmation (AKC) protocol. of the client, x, the adversary cannot find actual B. Desirable security attributes of AK and AKC It also prevents unknown key-share. According to the protocols are known key security (a protocol should still achieve its goal in the face of an adversary who has ⊕ φ learned some other session keys - unique secret keys verification of R·vH(k B) = gs mod (N) that the server has which each run of a key agreement protocol between A and B should produce.), forward secrecy (if static private keys of one or more entities are compromised, verified that the client possesses the private key x the secrecy of previous session keys is not affected.), corresponding to her static public key v by the checking key-compromise impersonation (when A's static private , an adversary can't register the client's public key v as key is compromised, it may be desirable that this event its own. From the checking l is equal to H(k||A), an does not enable an adversary to impersonate other adversary cannot register the server's public key PK as entities to A.), unknown key-share (entity B cannot be its own. This is from the hardness of the decrypting coerced into sharing a key with entity A without B's EPK(k). knowledge, i.e., when B believes the key is shared with Table 1 contains a summary of the security services that are believed to be provided by JP-MAKEP, WC- MAKEP, and A-MAKEP. O means that the assurance some entity C ≠ A, and A correctly believes the key is is provided. X represents that the assurance is not provided. M/A means the mutual authentication. shared with B.), etc. The following abbreviations are used for clear Table 1. Comparison with previous schemes understanding: IKA denotes implicit key authentication, EKA explicit key authentication, KKS known-key JP-MAKEP WC-MAKEP A-MAKEP security, FS forward secrecy, KCI key-compromise IKA O O O impersonation, and UKS unknown key-share. EKA X X O Desirable performance attributes of AK and AKC KKS O O O protocols include a minimal number of passes, low FS X X O communication overhead, low computation overhead KCI O O O and possibility of precomputations. UKS X O O M/A O X O 4.2 Security Analysis

Now, we consider the security of our protocol. The protocol provides known-key security. Each run 5. Conclusion of the protocol between the client and the server should In this paper, we proposed a new mutually produce a unique session key which depends on k, x, a authenticated key exchange protocol for and r. Although an adversary has learned some other computationally limited devices, called A-MAKEP. session keys, he can't compute s and gax from them, Triangle Symposium on Advanced ICT 2008 (TriSAI 2008) ICU, Daejeon, Korea, October 6-9, 2008

The main interest of this scheme is how to reduce the computational burden at the low-power device side. For this, we compute some values which will be used in session key agreement phase before online communications. Another important feature of our proposed protocol compared to previous MAKEP schemes is that our proposed scheme satisfies all security requirements for authenticated key exchange protocol. Our remained problem is to reduce the computational complexity on the client side as efficient as WC-MAKEP in spite of satisfying all security requirements.

Acknowledgement

This work was supported by the Korea Institue of Nuclear Safety under the Grant RS08-23-PL.

REFERENCES

[1] Simon Blake-Wilson and Alfred Menezes, “Authenticated Diffie-Hellman key agreement protocols,” In proceedings of SAC '98, LNCS Vol.1556, pages 339-361, Springer- Verlag, 1998. [2] C. Boyd and A. Mathuria, “Protocols for Authentication and Key Establishment,” Springer-Verlag, 2003. [3] Kim-Kwang Raymond Choo, Colin Boyd, and Yvonne Hitchcock, “Errors in Computational Complexity Proofs for Protocols,” In proceedings of Asiacrypt 2005, Springer-Verlag, 2005. [4] M. Girault, “Self-certified public keys,” In proceedings of EUROCRYPT '91, pages 490-497, Springer-Verlag, 1991. [5] M. Jakobsson and D. Pointcheval, “Mutual Authentication and Key Exchange Protocol for Low Power Devices,” In proceedings of FC 2001, LNCS Vol.2339, pages 169-186, Springer-Verlag, 2001. [6] D. S. Wong and A. H. Chan, “Efficient and Mutually Authenticated Key Exchange for Low Power Computing Devices,” In proceedings of Asiacrypt 2001, LNCS Vol.2248, pages 172-289. Springer- Verlag, 2001. [7] http://www.ehomeupgrade.com/archives/000219.php [8] http://www.cr0.net:8040/about/